author: Jake Howard <git@theorangeone.net> 2025-11-19 16:52:28 +0000
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-02-03 07:59:11 -0500
commit: d72cc3be3be0bbebdcaea5a8c8106b4d6f2a32bd
tree: 7d6c6bc141ac431b0dd65ec0131c0c72beac9dbc /docs
parent: d64ef2429f43cc69a9d5f491650734bb3c51c21d
[6.0.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi auth handler.

Refs CVE-2024-39329, #20760.

Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 3eb814e02a4c336866d4189fa0c24fd1875863ed from main.
Diffstat (limited to 'docs')
-rw-r--r--  docs/releases/4.2.28.txt  10
-rw-r--r--  docs/releases/5.2.11.txt  10
-rw-r--r--  docs/releases/6.0.2.txt   10
3 files changed, 30 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt
index 8c6d4a2a1d..9f6d5cb152 100644
--- a/docs/releases/4.2.28.txt
+++ b/docs/releases/4.2.28.txt
@@ -7,3 +7,13 @@ Django 4.2.28 release notes
Django 4.2.28 fixes three security issues with severity "high", two security
issues with severity "moderate", and one security issue with severity "low" in
4.2.27.
+
+CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
+=================================================================================================
+
+The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
+:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
+allowed remote attackers to enumerate users via a timing attack.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
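Review bot: The unchanged intro at the top of this hunk counts exactly "one security issue with severity 'low'" in 4.2.28, and the new section is itself rated "low"; please confirm there is no other low-severity section already in 4.2.28.txt, otherwise the intro count must be bumped in the same patch. Since the commit message refs CVE-2024-39329, a short cross-reference to that earlier advisory in this section would help operators relate the two timing fixes when assessing exposure.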
diff --git a/docs/releases/5.2.11.txt b/docs/releases/5.2.11.txt
index 545a7aeb70..f975e45166 100644
--- a/docs/releases/5.2.11.txt
+++ b/docs/releases/5.2.11.txt
@@ -7,3 +7,13 @@ Django 5.2.11 release notes
Django 5.2.11 fixes three security issues with severity "high", two security
issues with severity "moderate", and one security issue with severity "low" in
5.2.10.
+
+CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
+=================================================================================================
+
+The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
+:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
+allowed remote attackers to enumerate users via a timing attack.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
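Review bot: "allowed remote attackers to enumerate users via a timing attack" leaves the precondition implicit; the heading says the leak is a timing difference, so stating what the timing differed on (requests for existing versus non-existing usernames) in the sentence starting "The ``django.contrib.auth.handlers.modwsgi.check_password()`` function" would let readers judge whether their mod_wsgi deployment was affected without consulting the commit. The text is otherwise identical to the 4.2.28 entry, which is the expected convention for backported advisories.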
diff --git a/docs/releases/6.0.2.txt b/docs/releases/6.0.2.txt
index 7dd10dbb4e..ba39f74082 100644
--- a/docs/releases/6.0.2.txt
+++ b/docs/releases/6.0.2.txt
@@ -8,6 +8,16 @@ Django 6.0.2 fixes three security issues with severity "high", two security
issues with severity "moderate", one security issue with severity "low", and
several bugs in 6.0.1.
+CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
+=================================================================================================
+
+The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
+:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
+allowed remote attackers to enumerate users via a timing attack.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========
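Review bot: The section is inserted immediately before the "Bugfixes" heading, i.e. after the existing security sections; given the intro lists three "high" and two "moderate" issues ahead of the single "low" one, placing the low-severity entry last is consistent with that ordering, but please double-check that the preceding CVE sections in 6.0.2.txt are in fact ordered by severity so this one does not break the sequence. The hunk header (+8,16) accounts for the trailing blank line before "Bugfixes", so spacing around the new heading is preserved.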